

Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key, and the public key is the spending public key. Spelled out, signing takes as input a message hash and proceeds as follows:
  1. $h \leftarrow \text{SHA512}(sk)$
  2. $s \leftarrow h[0:32]$ (derive the signing secret key from the spending key)
  3. $x \leftarrow h[32:64]$ (extract 32 bytes of entropy from the spending key)
  4. $v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)
  5. $n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \bmod r \in \mathbb{F}_r$ ("reduce" the hash output into $\mathbb{F}_r$, using extra entropy from $x$ in addition to the rng)
  6. $R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)
  7. $c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
  8. $z \leftarrow n - \text{sk} \cdot c$
  9. The signature is the pair $(c, z)$
To verify, we take as input the message and signature $(c, z)$ and do the following (this is the standard verification procedure):
  1. $Z \leftarrow z \times G$
  2. $P \leftarrow c \times \text{PK}$
  3. $R \leftarrow Z + P$
  4. $cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
  5. Accept the signature if $cp = c$. Reject it otherwise.

Security Requirements

The signature scheme must be strongly unforgeable under chosen-message-attack (SUF-CMA).

Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption and the random-oracle model. In our case, it's secure based on the following assumptions:
  1. Poseidon is a random oracle
  2. The discrete log problem is infeasible in Baby Jubjub